More Mac malware madness: No password required

When Mac Defender first reared its ugly head, the malware program aimed at Mac OS X required a victim to enter the computer’s administrative password to install it. That meant a user had to give explicit permission to put the program on a system.

But like the most dominant form of malware now bedeviling Windows users, Mac Defender presented itself as an anti-spyware title, when it actually is just the opposite. Many users were tricked into installing it and entering that password.

No longer. A new variant of Mac Defender – this one known as MacGuard – doesn’t require an administrative password to install. It is placed in the user’s own Applications folder rather than the system-level Applications folder, and writing to the user’s folder does not require administrative permissions.

And, if you are using Apple’s own Safari browser and have it set to automatically launch files you download, the installer will launch itself on its own.

Bott cited Intego, a company that makes security software, as finding the new version, which appears to be by the same author who created Mac Defender. An Intego blog post describes what happens:

If Safari’s “Open ‘safe’ files after downloading” option is checked, the package will open Apple’s Installer, and the user will see a standard installation screen. If not, users may see the downloaded ZIP archive and double-click it out of curiosity, not remembering what they downloaded, then double-click the installation package. In either case, the Mac OS X Installer will launch.

Unlike the previous variants of this fake antivirus, no administrator’s password is required to install this program. Since any user with an administrator’s account – the default if there is just one user on a Mac – can install software in the Applications folder, a password is not needed. This package installs an application – the downloader – named avRunner, which then launches automatically. At the same time, the installation package deletes itself from the user’s Mac, so no traces of the original installer are left behind.

If you use Safari on the Mac, you should stop what you’re doing and check to see if your copy of the browser is set to automatically open files after downloading. Go to Safari > Preferences > General.
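For readers who would rather check this from the Terminal, here is a small script that reports the same Safari setting and then looks in the per-user Applications folder for an application named avRunner, the downloader the Intego write-up describes. This is an added example, not code from the original post or from Intego or Sophos. It assumes Safari keeps the “Open ‘safe’ files after downloading” checkbox in the com.apple.Safari preference domain under the key AutoOpenSafeDownloads (1 or absent = enabled, 0 = disabled); that key name and the script name safari-check.sh are the editor’s assumptions, not something the article states.

```shell
#!/bin/sh
# Added example (not from the original post): report the Safari setting the
# article points at, and look for the indicator it names (an application
# called avRunner in the per-user Applications folder). Meant for macOS; the
# helper functions are pure so they can be exercised on any system.
#
# Assumption: Safari stores "Open 'safe' files after downloading" in the
# com.apple.Safari domain under the key AutoOpenSafeDownloads
# (1 = enabled, which is the shipped default; 0 = disabled).

# Interpret the raw value that `defaults read` returns. An empty value means
# the key has never been written, which Safari treats as "enabled".
autoopen_status() {
    case "$1" in
        0|false|FALSE|NO)    echo "disabled" ;;
        1|true|TRUE|YES|"")  echo "enabled" ;;
        *)                   echo "unknown" ;;
    esac
}

# Read the live setting on this Mac; prints nothing if the key is absent or
# the `defaults` tool is not available (e.g. when run on another OS).
read_autoopen_setting() {
    defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || printf ''
}

# Scan one directory for an application named avRunner (the downloader name
# given in the Intego description). Prints each match; exit status 0 when at
# least one was found, 1 otherwise.
find_avrunner() {
    dir="$1"
    found=1
    [ -d "$dir" ] || return 1
    for entry in "$dir"/*; do
        case "$(basename "$entry")" in
            avRunner|avRunner.app)
                echo "$entry"
                found=0 ;;
        esac
    done
    return "$found"
}

main() {
    status=$(autoopen_status "$(read_autoopen_setting)")
    echo "Safari 'Open safe files after downloading': $status"
    if [ "$status" = "enabled" ]; then
        echo "  -> turn it off in Safari > Preferences > General, or run:"
        echo "     defaults write com.apple.Safari AutoOpenSafeDownloads -bool false"
    fi
    if find_avrunner "$HOME/Applications"; then
        echo "  -> avRunner is present in $HOME/Applications; treat this Mac as infected"
    else
        echo "No avRunner in $HOME/Applications"
    fi
}

# Run the checks only when invoked with --run, so the file can also be
# sourced just for its helper functions.
case "${1:-}" in
    --run) main ;;
esac
```

Run it with `sh safari-check.sh --run`. The script only reads the preference and lists what it finds; the `defaults write` line it prints is the command-line equivalent of unchecking the box in Safari’s General preferences, and Safari should be restarted after changing it.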

(I was giving a presentation on Saturday about Mac malware to the Houston Area Apple Users Group and someone asked me where this setting was. I checked Safari’s preferences – while my computer was connected to HAAUG’s projector – only to discover that I still had that item enabled! I use Chrome, not Safari, so I had not made this change. It was a good lesson for the HAAUG audience . . . and for me!)

This exact setting isn’t found on the Windows version of Safari. Instead, you’ll see an item that says “Always prompt before downloading”. It should be checked.

Although the settings aren’t exactly equivalent, the Windows default configuration of Safari is actually a more cautious one than the Mac version.

If you’re a Mac user, you’ll want to stay on top of developments regarding this flavor of malware. Apple’s clearly got a malware arms race on its hands, and may be about to face the kind of escalation that Microsoft learned from years ago.

It’s time for those of us in the Mac community to start paying more attention to security issues—not because Apple is issuing a patch, but because, even if our Macs aren’t the target, we are. We’re going to see more attacks—some technical, some not—and we need to realize that we can all be fooled at least once. As Windows gets more secure, and Macs more popular, it only makes good business sense for criminals to start moving in our direction.

We are most likely transitioning to a state of constant, low-level crime and harassment that relies as much on fooling us as cracking our Macs—and probably some combination of the two. Bad guys will always go after the easiest, most cost-effective target. As operating system vendors continue to tighten the screws, the targets will likely shift to Web services, getting us to install the software ourselves, and traditional scams.

Actually, we’re already there.

• Then, read this explainer on how the latest variant of Mac Defender works, from Sophos. It includes detailed screenshots of the new version, MacGuard, in action. Sophos claims its free Mac antimalware product will protect Mac users. I’ve installed it on my Macs.